Remote upgrades of firewalls
Hi,

We have a few firewalls used at our main office as well as remote offices based on SuSE 7.1. In anticipation of the support (security patches) for SuSE 7.1 being dropped within the next couple of months, I'm looking into upgrading these machines to 8.1.

The machines are basically running a firewall based on SuSEfirewall and ipchains (2.2 kernel), ipsec, ssh and named. The machine at the main office is also doing mail routing (sendmail) and webtraffic routing to DMZ servers.

What I'm looking for here are some experiences upgrading from 7.1 to 8.1. What can go wrong (especially on remote machine which I can only access through ssh)? Can I still use SuSEfirewall or do I need to convert to SuSEfirewall2?

Thanks

--
Daniel Nilsson
Signal Integrity Software Inc.
On Jan 2, Daniel Nilsson wrote:
> What I'm looking for here are some experiences upgrading from 7.1 to 8.1. What can go wrong (especially on remote machine which I can only access through ssh)?

You can't update remote, because the system must not be active while the

> Can I still use SuSEfirewall or do I need to convert to SuSEfirewall2?

You will have to convert to SuSEfirewall2, because fw1 doesn't support iptables, I think.
If I were you, I'd set up the new system on a new hard disk (machines with SuSE 7.1 don't have new hard disks anyway, so it's time to change ;) and when everything is configured, change the disks (or copy the partitions, if the old HDD is good enough). I won't have to tell you about backups, do I? At least make a copy of /etc, /var and /usr/local.

In general, updating from 7.1 to 8.1 probably won't work very well because they differ far too much. A firewall doesn't have much config on it anyway, so it is easier to start with a fresh installation.

kind regards,
Markus Gaugusch

--
Markus Gaugusch
ICQ 11374583
markus@gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
Linux 2.4.19-4GB * Now playing Disturbed - 03 - Stupify
Markus Gaugusch wrote:
> On Jan 2, Daniel Nilsson wrote:
> > What I'm looking for here are some experiences upgrading from 7.1 to 8.1. What can go wrong (especially on remote machine which I can only access through ssh)?
>
> You can't update remote, because the system must not be active while the base packages are updated. Although I did this once, I don't recommend it. Touching something sensitive like a firewall (at least sensitive to the connectivity of the company using it), and doing it remote, possibly breaking the connection during update is just stupid.

Well, the systems are 2000 miles away and in multiple locations. I do have personnel in place at these locations, they are however not trained Linux admins but can type commands if I tell them what to type... I agree that the situation is not optimal, but it seldom is in the real world where companies are limited by resources and money. If my conclusion is that it's impossible to do this remote I need to travel to install these systems, and I'd like to spend a little more time trying to figure out if this is at all possible before I reach that conclusion.

> > Can I still use SuSEfirewall or do I need to convert to SuSEfirewall2?
>
> You will have to convert to SuSEfirewall2, because fw1 doesn't support iptables, I think.
>
> If I were you, I'd set up the new system on a new hard disk (machines with SuSE 7.1 don't have new hard disks anyway, so it's time to change ;) and when everything is configured, change the disks (or copy the partitions, if the old HDD is good enough). I won't have to tell you about backups, do I? At least make a copy of /etc, /var and /usr/local.

I was actually thinking about this option as well, I could make an image of the system and bring that image back here. Then build an identical system here and upgrade it. Or reinstall a new system here and ship the hard drive. Problem is just that I don't have skilled people on-site to install the new hard drives... Other options include using another UNIX system on-site (I have Solaris machines in all locations) and put a modem on that machine, then I should be able to use a serial console to control the firewall. This may seem involved, but the time and money to travel and do the updates on-site makes it worthwhile investigating.

> In general, updating from 7.1 to 8.1 probably won't work very well because they differ far too much. A firewall doesn't have much config on it anyway, so it is easier to start with a fresh installation.

This is actually the question that I'd like some help with from this mailing list. What works, what doesn't work?

Thanks

--
Daniel Nilsson
Signal Integrity Software Inc.